Monday 26 February 2018

End Users: Data Protection Is Your Responsibility Too


- Becca Bauer, Director of Marketing & PR at BOHH Labs

In a recent post we addressed how it is time for enterprises to take data security seriously and view it as a legal responsibility to their users and customers. While enterprises that interact with user data must have accountability and responsibility for how it's protected, this is not a one-way street.

As an end user, you do have some control over the security of your data, and more importantly, you should exert that control both over your data and within your relationship with your cloud provider. What does this mean?

On a corporate level, this means not allowing a cloud provider to hold encryption keys. If you pass your security to a third party, and they own and store your encryption keys, then you have lost control of your information. For example, let’s say an unhappy employee, an ex-employee who was recently sacked, or an employee who has an axe to grind uses inside knowledge to share a virus, share documents with rivals, or misuse company and personnel data. If this organization is a cloud store or service provider that also holds and owns your encryption keys, then in any one of these cases your information is far from safe.

While these scenarios may seem far-fetched, many breaches have occurred this way. As such, it is imperative that you own your encryption keys and store them separately from your cloud suppliers. If you do not, then your information can be stolen or even subpoenaed without your knowledge.

On a personal level, end user accountability means being careful about what information is placed in a cloud store or social media network, or about how you behave regarding services that interact with sensitive data, such as online banking or e-commerce.

The truth is that not all enterprises and cloud services are the same, so you should not assume they all have the same stance and protocols on protecting your data. It is important to treat each company and/or service you share your information with on a case-by-case basis, especially depending on the sensitivity of the data.

There are many ways for users to take control of keeping their data better protected:

  • Set data permissions: You ultimately have responsibility for your data. If your bank account is hacked, you may need to prove your password was protected and you did what was necessary to guard against a breach. You must also be careful about the apps you download, and if these apps require a password, ask yourself where else you have used the same one. Cognizant of this, we decide to pick a new password and check “Remember Me.” This makes it easier for us, but doing so gives the site or application a cookie that is open to misappropriation.
  • Less is more: Keep your most sensitive information on as few computers or cloud-based tools as possible. Having fewer copies of your most sensitive documents helps keep them more protected. While the cloud provides convenience and the ability to access information from multiple devices, are you really going to need to access all your bills, bank accounts, and investment statements from anywhere? Disable Remote Desktop (RDP) unless you require it. Additionally, it is best not to enable remote connections to your PC unless needed at the time. Instead, enable the remote connections when needed, and disable them when you're finished.
  • Be conscious of where you access your data: Online tools and mobile devices give us anywhere, anytime accessibility, but far too often, we don’t think much about where we are accessing our data from. For example, on public Wi-Fi, it's rather simple for someone to intercept your data in a man-in-the-middle attack by first setting up a network and naming it "Free Wi-Fi." Instead of simply connecting, ask the restaurant or airport staff what the name of their network is. Better yet, learn how to tether your phone and turn it into your personal hotspot to keep prying people out. Also keep in mind when traveling: if you sync your phone to a rental car system, did you remember to wipe it before returning the car rather than trusting that the rental company will do it?

What we forget when living in an online world is that our data, everything from personal to financial, lives online and we often hand it off to others without a second thought. As our world becomes increasingly mobile, it is time to re-evaluate the value our data holds and start taking accountability for the care of it, like we do for our physical things, and not just rely on the organizations we hand it off to to keep it protected.


